High resource usage when verifying a signature

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Jul 19 01:42:34 CEST 2015

Hi Johannes--

On Sat 2015-07-18 15:57:09 +0200, Johannes Zarl-Zierl wrote:
> I've noticed that sometimes gpg2 will take around 1-2 minutes on my desktop PC 
> attempting to verify an email signature.

what version of gpg2 are you using?

> At first, I thought that maybe the increasing prevalence of really big keys 
> would increase the computational complexity, or that the keyserver 
> communication is taking so long, but this does not seem the case.
> I'm pretty sure this happens on different kinds of keys, but today I noticed 
> it on a 1024 bit DSA key. Looking into top revealed that my email program had 
> spawned a gpg2 process that was using 100% of a single CPU core:
> gpg2 --enable-special-filenames --batch --no-sk-comments --status-fd 22 --no-
> tty --charset utf8 --enable-progress-filter --display :0 --verify -- -&23 -&25
> Opening the same email a second time happens more or less instantaneously (as 
> far as I know, kmail does not cache the verification).
> Is this behaviour to be expected? Is this some computation that happens only 
> the first time a new key is encountered?

I suspect what's taking a long time is an update to the trustdb.  one
workaround is to put no-auto-check-trustdb in ~/.gnupg/gpg.conf, and
then have a nightly cronjob that runs "gpg2 --check-trustdb".


More information about the Gnupg-users mailing list